Check: AOSX-13-000554
Apple OS X 10.13 STIG: AOSX-13-000554 (in versions v2 r5 through v1 r1)
Title
The macOS system must not have a guest account. (Cat I impact)
Discussion
Only authorized individuals should be allowed to obtain access to operating system components. Permitting access via a guest account provides unauthenticated access to any person.
Check Content
To check if the guest user exists, run the following command:

    dscl . list /Users | grep -i Guest

To verify that the Guest user cannot unlock the volume, run the following command:

    fdesetup list

To check if the system is configured to prohibit user installation of software, first check to ensure the Parental Controls are enabled with the following command:

    /usr/sbin/system_profiler SPConfigurationProfileDataType | /usr/bin/grep -E '(DisableGuestAccount | EnableGuestAccount)'

If the result is null or not:

    DisableGuestAccount = 1;
    EnableGuestAccount = 0;

this is a finding.
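The three checks above combined into one pass/fail evaluation, as an added example that is not part of the STIG text. The helper names and sample output are constructed, and treating a Guest entry in the dscl or fdesetup output as a finding is this example's assumption; the page states the finding condition only for the profile values.

```sh
#!/bin/sh
# Added example: evaluate AOSX-13-000554 from the output of its check commands.
# Helpers read command output on stdin, so they can be exercised offline.

# dscl . list /Users prints one short name per line; match the exact name.
guest_user_present() { grep -qix 'guest'; }

# fdesetup list prints "shortname,UUID" for each user able to unlock the volume.
guest_can_unlock() { cut -d, -f1 | grep -qix 'guest'; }

# Profile output must carry both required values; empty (null) output fails.
profile_disables_guest() {
    out=$(cat)
    printf '%s\n' "$out" | grep -Eq 'DisableGuestAccount[[:space:]]*=[[:space:]]*1;' &&
    printf '%s\n' "$out" | grep -Eq 'EnableGuestAccount[[:space:]]*=[[:space:]]*0;'
}

# evaluate USERS FDE PROFILE: prints each reason, returns 1 on a finding.
# Assumption: a Guest entry in USERS or FDE is treated as a finding.
evaluate() {
    rc=0
    if printf '%s\n' "$1" | guest_user_present; then
        echo "FINDING: Guest record exists in the local directory"; rc=1
    fi
    if printf '%s\n' "$2" | guest_can_unlock; then
        echo "FINDING: Guest can unlock the FileVault volume"; rc=1
    fi
    if ! printf '%s\n' "$3" | profile_disables_guest; then
        echo "FINDING: profile lacks DisableGuestAccount = 1 / EnableGuestAccount = 0"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "NOT A FINDING"
    return "$rc"
}

# Constructed sample output (not captured from a real host).
SAMPLE_USERS='_www
admin
daemon
root'
SAMPLE_FDE='admin,11111111-2222-3333-4444-555555555555'
SAMPLE_PROFILE='          DisableGuestAccount = 1;
          EnableGuestAccount = 0;'

# On macOS, run as root to evaluate the live host; elsewhere use the samples.
if command -v dscl >/dev/null 2>&1; then
    evaluate "$(dscl . list /Users)" "$(fdesetup list 2>/dev/null)" \
        "$(/usr/sbin/system_profiler SPConfigurationProfileDataType 2>/dev/null)"
else
    evaluate "$SAMPLE_USERS" "$SAMPLE_FDE" "$SAMPLE_PROFILE"
fi
```

The exit status of `evaluate` is 0 when compliant and 1 on any finding, so it can gate a compliance job directly.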
Fix Text
Remove the guest user with the following command:

    sudo dscl . delete /Users/Guest

This can also be managed with the "Login Window Policy" configuration profile.
Additional Identifiers
Rule ID: SV-214868r609363_rule
Vulnerability ID: V-214868
Group Title: SRG-OS-000364-GPOS-00151
CCIs
Number | Definition |
---|---|
CCI-001813 | The information system enforces access restrictions. |
Controls
Number | Title |
---|---|
CM-5 (1) | Automated Access Enforcement / Auditing |